April 10, 2026

UNC6783 Uses Fake Zendesk and Okta Pages to Bypass MFA and Steal Data

At a glance: Google Threat Intelligence Group reported that a financially motivated actor tracked as UNC6783 is stealing corporate data by abusing customer support and helpdesk workflows, including Zendesk, primarily through social engineering rather than software exploitation. The activity targets business process outsourcing providers and internal support teams, using spoofed authentication pages to bypass multi-factor authentication, enroll unauthorized devices, and exfiltrate sensitive data for extortion.

Threat summary

On April 8, 2026, Google Threat Intelligence Group (GTIG) reported on a financially motivated threat actor, tracked as UNC6783, stealing corporate data by abusing customer support and helpdesk workflows, such as Zendesk. The activity targets organizations across multiple sectors and focuses on service providers and support staff.

According to GTIG, UNC6783 primarily targets business process outsourcing (BPO) providers that manage support operations for high‑value enterprises. In several cases, the actor directly engaged internal helpdesk and support teams to gain trusted access to corporate environments. Google reports that dozens of organizations have been affected through this tactic, with attackers exfiltrating support tickets, internal documents, and personal data linked to customers and employees.

Google observed threat actors initiating contact through live chat support and directing employees to fraudulent pages that impersonate legitimate Okta and Zendesk infrastructure. The phishing domains follow predictable naming patterns, such as <org>[.]zendesk-support<##>[.]com, that closely resemble official support portals, making them difficult to distinguish during routine support interactions.

Once victims interact with the spoofed login pages, the actors’ phishing kit is used to steal clipboard contents, allowing UNC6783 to bypass multi‑factor authentication. Using the compromised credentials, the attackers enroll their own devices, establishing persistent access that remains effective even after password changes. Google also reported cases where fake security updates were used to deliver remote access malware during support interactions.

The focus of this threat actor is data theft for extortion; stolen information includes Zendesk support tickets, internal records, employee data, and security‑related submissions. After exfiltration, UNC6783 contacts victims directly using Proton Mail accounts and demands payment to prevent public release of the stolen data.

GTIG stated that UNC6783 may be linked to an online cybercriminal persona known as Raccoon, based on overlaps in tactics and extortion behavior. In early April 2026, an individual using the alias “Mr. Raccoon” claimed responsibility for a large data theft involving an India-based business process outsourcing provider supporting Adobe. The actor claimed to have stolen millions of Zendesk support tickets, employee records, HackerOne submissions, and internal documents.

Analysis

This campaign highlights how support tooling and identity workflows are increasingly being used as access vectors. The activity does not rely on exploiting software vulnerabilities in Zendesk or Okta, and there is no indication that either platform has been compromised. Instead, trusted relationships, outsourced operations, and helpdesk processes are leveraged to bypass perimeter defenses and gain high-value access.

Google recommends mitigating this risk by reducing reliance on authentication methods susceptible to phishing and session capture. Phishing-resistant multi-factor authentication using hardware-based FIDO2 security keys limits the effectiveness of clipboard-theft techniques and reduces the risk of unauthorized device enrollment. Regular reviews of newly enrolled authentication devices support detection of unauthorized persistence.

Additional mitigation includes monitoring live chat and support interactions for attempts to redirect staff to external authentication pages, proactively blocking look-alike domains that impersonate Zendesk support infrastructure, and reviewing execution of software installers or updates delivered during support sessions.
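The look-alike pattern described above (<org>.zendesk-support<##>.com standing in for <org>.zendesk.com) is mechanical enough to check for in proxy or DNS logs. The script below is an added example written for this post; it is not code from Google, Zendesk or Okta. It assumes a key=value proxy log format, which is constructed here, and it uses a naive "last two labels" notion of registrable domain rather than the public suffix list. The vendor allowlist is also an assumption: it holds only zendesk.com and okta.com, so a production version must carry every domain the vendor actually publishes for tenants (Okta, for example, serves some tenants from regional and preview domains), or those will be reported as look-alikes.

```python
import re

# Vendors whose support/identity portals the advisory says were impersonated, mapped to
# the registrable domain(s) a tenant legitimately lives on. Assumption for this example;
# extend with every domain the vendor publishes before using this as a block list source.
VENDOR_DOMAINS = {
    "zendesk": {"zendesk.com"},
    "okta": {"okta.com"},
}

DEFANG_DOTS = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(domain: str) -> str:
    """Turn a defanged indicator like acme[.]zendesk-support12[.]com back into a hostname."""
    return DEFANG_DOTS.sub(".", domain.strip().lower()).rstrip(".")


def registrable(domain: str) -> str:
    """Last two labels of the hostname. Adequate for the .com shapes in the advisory;
    not public-suffix-aware (co.uk style suffixes would be handled wrongly)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def classify_domain(domain: str) -> str:
    """Return 'legitimate', 'lookalike' or 'other'.

    'legitimate': registrable domain is one the vendor owns (acme.zendesk.com).
    'lookalike':  the registrable domain's first label merely contains the vendor name
                  (zendesk-support12.com, acme-okta-verify.com), the shape of the
                  impersonation domains described in the advisory.
    'other':      no vendor name in the registrable domain at all.
    """
    reg = registrable(refang(domain))
    sld = reg.split(".")[0]
    for vendor, allowed in VENDOR_DOMAINS.items():
        if reg in allowed:
            return "legitimate"
        if vendor in sld:
            return "lookalike"
    return "other"


HOST_FIELD = re.compile(r"\bhost=([A-Za-z0-9.\[\]()-]+)")
USER_FIELD = re.compile(r"\buser=(\S+)")


def scan_proxy_log(lines):
    """Return (user, host) pairs for every request whose host is a vendor look-alike."""
    hits = []
    for line in lines:
        m = HOST_FIELD.search(line)
        if m and classify_domain(m.group(1)) == "lookalike":
            u = USER_FIELD.search(line)
            hits.append((u.group(1) if u else "?", refang(m.group(1))))
    return hits


def blocklist_from_hits(hits):
    """Registrable domains to feed a DNS or proxy block list, one per look-alike seen."""
    return sorted({registrable(host) for _, host in hits})


# Constructed sample proxy log lines (not from the advisory) in key=value form.
SAMPLE_LOG = [
    "2026-04-09T10:12:33Z user=agent01 host=acme.zendesk.com path=/agent/tickets",
    "2026-04-09T10:14:02Z user=agent01 host=acme.zendesk-support12.com path=/login",
    "2026-04-09T10:15:40Z user=agent07 host=acme.okta.com path=/app/UserHome",
    "2026-04-09T10:16:11Z user=agent07 host=acme-okta-verify.com path=/signin",
    "2026-04-09T10:17:05Z user=agent03 host=www.example.com path=/",
]

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for user, host in hits:
        print(f"lookalike vendor domain: user={user} host={host}")
    print("block list candidates:", blocklist_from_hits(hits))
```

Run it against real proxy or resolver logs by replacing SAMPLE_LOG with a file iterator; the user field in each hit tells you which support agent was steered to the page, which is the thread to pull on when reviewing that agent's recently enrolled authentication devices.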
